eduNEXT / codejailservice

GNU Affero General Public License v3.0

["FEAT"] Support for K8s deployments #15

Closed angonz closed 1 year ago

angonz commented 2 years ago

**Is your feature request related to a problem? Please describe.**
Codejail plugin currently does not work out of the box in K8s deployments because it requires the AppArmor profiles to be set in the nodes.

**Describe the solution you'd like**
I would like the plugin to set the AppArmor profiles in the K8s nodes transparently for the user.

**Describe alternatives you've considered**
There is a previous discussion in the old Tutor forum. The Kubernetes documentation mentions three alternatives to address this problem. The DaemonSet approach seems to be the most appropriate for this case.

**Additional context**
As nodes depend on the underlying infrastructure, it can be a challenge to make something general.

angonz commented 2 years ago

I have opened a support request in AWS, and this is their response:

    EKS worker nodes, by default, are built off Amazon Linux 2, which is RHEL-based, with AppArmor set to off. We do not ship with SELinux enabled for ease of use for all general customers. Ubuntu AMIs, which are also available, are supported by Canonical - by default they also ship with AppArmor turned off, likely for the same reasons.

    Unfortunately, AWS Support is not able to officially support AppArmor - if you choose to run them you would need to manage and troubleshoot yourself should you encounter any issues. By policy, AWS Support is only able to support official latest EKS AMIs without modification. 

    For this reason we recommend customers if going down the SELinux/AppArmor path to ensure they have adequate operation experience with them and to build their own custom AMI with their kernel security solution of choice embedded following the links below:

        https://aws.amazon.com/premiumsupport/knowledge-center/eks-custom-linux-ami/
        https://github.com/awslabs/amazon-eks-ami

    Note: Custom AMIs are also, unfortunately, as per our policy, out of scope of support.

MoisesGSalas commented 2 years ago

Thanks @angonz, I suspected that the default AMI didn't have AppArmor support, but I was hoping that at least the Ubuntu one shipped by Canonical would include it.

This situation is a bit tricky and we'll need some time to think this through. Also, I wonder if the same problem applies to other providers (Digital Ocean, Azure).

MaferMazu commented 1 year ago

@MoisesGSalas @angonz, is this still happening?

MoisesGSalas commented 1 year ago

This should no longer be an issue since v14.1.0 of the tutor plugin. I'm going to close this issue since it wasn't really a problem of the codejailservice but rather of the tutor-plugin. The corresponding issue in the plugin repository is: https://github.com/eduNEXT/tutor-contrib-codejail/issues/24

PS: If you are confused about the difference between https://github.com/eduNEXT/codejailservice/ and https://github.com/eduNEXT/tutor-contrib-codejail/, imagine that they are analogous to https://github.com/openedx/edx-notes-api and https://github.com/overhangio/tutor-notes/

ladew222 commented 1 year ago

I am still having this issue. Is this still a known issue?